AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface; suspicious primitives are tied to ioBroker Blink camera integration, video download, and local streaming. Runtime creates local helper objects/servers and contacts Blink services after adapter configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
ioBroker adapter runtime with user-configured Blink credentials and optional streaming/live-view use
Impact
User-authorized Blink camera polling, snapshot/video storage, and local stream serving
Mechanism
Blink API client plus local MJPEG/HLS/video helper servers
Rationale
Static inspection found privileged runtime helpers, child process use, and local servers, but they are documented/package-aligned for ioBroker Blink camera live view and video serving. No install-time execution, unrelated exfiltration, destructive behavior, dependency confusion, or reviewer/AI control-surface mutation was found.
Evidence
package.jsonmain.jslib/blink-api.jslib/mjpeg-server.jslib/immi-live-hls.jslib/blink-liveview-iobroker.jslib/blink-video-url-server.json
Network endpoints4
api.oauth.blink.comrest-prod.immedia-semi.comrest-<tier>.immedia-semi.comcdnjs.cloudflare.com/ajax/libs/hls.js/1.5.20/hls.min.js
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- main.js installs/updates an ioBroker JavaScript object from lib/blink-video-url-server.json at runtime.
- lib/blink-video-url-server.json contains an enabled local server script using ioBroker exec for CLI fallback and live-view helpers.
- lib/immi-live-hls.js can spawn ffmpeg and a helper script for user-requested HLS live view.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; main entry is main.js for ioBroker runtime.
- Network code targets Blink/OAuth/API hosts and local streaming endpoints consistent with a Blink camera adapter.
- Blink credentials/tokens are used for Blink login/session/cache and debug logs redact sensitive fields.
- File writes are package-aligned snapshots/session/debug/HLS cache paths, not credential harvesting or arbitrary project mutation.
- HTTP file serving checks path traversal for video/HLS paths and MJPEG endpoints require a generated token.
Behavioral surface
ChildProcessCryptoDynamicRequireFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcelib/blink-video-url-server.jsonView file
8patternName = generic_password
severity = medium
line = 8
matchedText = "source"...\n",
Medium
Secret Pattern
Package contains a possible secret pattern.
lib/blink-video-url-server.jsonView on unpkg · L8main.jsView file
1694async startHlsProxy(devId, live) {
L1695: const { spawn } = require('node:child_process');
L1696: await this.startHlsServer();
High
5L6: const utils = require('@iobroker/adapter-core');
L7: const fs = require('node:fs');
Medium
lib/immi-live-hls.js#virtual:normalized:round1View file
9const path = require('node:path');
L10: const tls = require('node:tls');
L11: const http = require('node:http');
L12: const { spawn, spawnSync } = require('node:child_process');
L13:
L14: const SESSION_JSON = process.argv[2] || process.env.IMMI_SESSION_JSON || '/tmp/blink_liveview_session.json';
L15: const SERIAL = process.env.IMMI_SERIAL || process.env.BLINK_DEVICE_SERIAL || 'G8T1940153360515';
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/immi-live-hls.js#virtual:normalized:round1View on unpkg · L9Findings
2 High3 Medium4 Low
HighChild Processmain.js
HighSame File Env Network Executionlib/immi-live-hls.js#virtual:normalized:round1
MediumSecret Patternlib/blink-video-url-server.json
MediumDynamic Requiremain.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings